dhavalshah9131 opened a new pull request, #584:
URL: https://github.com/apache/ranger/pull/584

   
   
   ## What changes were proposed in this pull request?
   **Problem Statement:**
   
   Currently, when Ranger Usersync is configured with case conversion and special character replacement using regex, it transforms the original user/group names from the source (e.g., AD/LDAP) before storing them in the Ranger Admin database.
   
   **Example:**
   
   Original name in LDAP/AD: John-jacobs
   Usersync configuration:
   
   - ranger.usersync.ldap.username.caseconversion = lower
   - ranger.usersync.mapping.username.regex = s/[-]/_/g
   - Transformed and stored name in Ranger: john_jacobs
   
   **Issue:**
   
   If a Ranger plugin (e.g., Hive) uses the original name John-jacobs during authorization checks, it fails because Ranger Admin only recognizes the transformed name john_jacobs.
   
   **Error Example:**
   
   _Permission denied: user [John-jacobs] does not have [SELECT] privilege on [vehicle/cars/*]_
   
   **Solution:**
   
   To ensure consistency, the same transformation logic used by Usersync must also be applied on the plugin side before authorization. This transformation should be made available as a utility library packaged with the plugins.
   
   **Configurability:**
   
   This feature must be configurable at the plugin level via a property (e.g., ranger.plugin.<serviceType>.supports.name.transformation), allowing users to enable or disable it based on their environment needs.
   
   In ranger-admin-site.xml
   
   ranger.plugins.ldap.username.caseconversion
   ranger.plugins.ldap.groupname.caseconversion
   ranger.plugins.mapping.username.handler
   ranger.plugins.mapping.groupname.handler
   ranger.plugins.mapping.regex.separator
   ranger.plugins.mapping.username.regex
   ranger.plugins.mapping.groupname.regex
   
   
   ## How was this patch tested?
   
   (Please explain how this patch was tested. Ex: unit tests, manual tests)
   1.) Build successful with unit test.
   2.) Manual testing
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@ranger.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
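
The mismatch described in the pull request above, as an added Java example that is not part of the PR or of Ranger's code: it applies the description's case conversion and `s/[-]/_/g` rule to the name a plugin presents before the lookup, and lists source names that map to the same stored name. The class and method names, the regex-then-case order and the literal handling of the replacement string are assumptions.

```java
import java.util.*;
import java.util.regex.*;

// Added illustration, not Ranger code; NameTransformDemo and its methods are hypothetical.
public class NameTransformDemo {
    // Parse a sed-style rule such as s/[-]/_/g using the configured separator.
    static String applyRule(String rule, String sep, String name) {
        String[] p = rule.split(Pattern.quote(sep), -1);
        if (p.length != 4 || !p[0].equals("s")) {
            throw new IllegalArgumentException("expected s<sep>pattern<sep>replacement<sep>[g]: " + rule);
        }
        Matcher m = Pattern.compile(p[1]).matcher(name);
        String repl = Matcher.quoteReplacement(p[2]); // replacement treated literally (assumption)
        return p[3].contains("g") ? m.replaceAll(repl) : m.replaceFirst(repl);
    }

    static String applyCase(String mode, String name) {
        switch (mode) {
            case "lower": return name.toLowerCase(Locale.ROOT); // locale-independent folding
            case "upper": return name.toUpperCase(Locale.ROOT);
            default:      return name;                          // "none" or any other value
        }
    }

    // Order (regex, then case) is an assumption; sync side and plugin side must agree on it.
    static String transform(String name, String caseMode, String rule, String sep) {
        return applyCase(caseMode, applyRule(rule, sep, name));
    }

    public static void main(String[] args) {
        // Constructed sample: the name as stored in Ranger Admin after the Usersync transformation.
        Set<String> policyUsers = Set.of("john_jacobs");
        String fromPlugin = "John-jacobs"; // name as presented by the service (e.g., Hive)
        String normalized = transform(fromPlugin, "lower", "s/[-]/_/g", "/");
        System.out.println("raw lookup matches policy user:        " + policyUsers.contains(fromPlugin));
        System.out.println("normalized lookup matches policy user: " + policyUsers.contains(normalized));

        // The mapping is many-to-one: report constructed source names that share a stored name.
        Map<String, List<String>> byTarget = new TreeMap<>();
        for (String n : List.of("John-jacobs", "john_jacobs", "JOHN-JACOBS", "alice")) {
            String key = transform(n, "lower", "s/[-]/_/g", "/");
            byTarget.computeIfAbsent(key, k -> new ArrayList<>()).add(n);
        }
        byTarget.forEach((t, srcs) -> {
            if (srcs.size() > 1) System.out.println("same stored name " + t + " for " + srcs);
        });
    }
}
```

Running the same collision check over a directory export before enabling a rule shows whether distinct source accounts would end up sharing one Ranger identity and its policies.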
